Having set up my lab's PKI previously, one of the next steps was to create a certificate template for VMware's products, which require certain properties to be present in the certificates they use.
There is a KB article that covers this, but I wanted to run through it and use some of the specifics for my lab.
Template for VMware SSL Certificates
This template will provide certificates for ESXi hosts, vCenter, vRA, vRO etc. To create it, we first need the Certificate Templates Console, which can be opened by running certtmpl.msc.
Per the KB article, I duplicated the "Web Server" template as a starting point. My first task was to give the template a new name and set the validity to 4 years:
On …
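Once the duplicated template has been saved, it is worth reading it back out of Active Directory to confirm that the settings actually landed, since certtmpl.msc shows validity in years while the directory stores it as a FILETIME interval. The following is an added example, not code from the original post: it looks the template up in the configuration partition, decodes the validity, key usage and EKU attributes, and compares them against the properties I assume the KB article asks for (the display name "VMware SSL", the 4-year validity, Server and Client Authentication EKUs, and the Digital Signature and Key Encipherment key usages are assumptions; adjust the defaults to the KB version you follow). It needs to run on a domain-joined machine with read access to the configuration naming context.

```powershell
# Added example (not from the original post). Reads a certificate template back out of AD
# and checks it against the properties assumed to be required for VMware certificates.

function Get-LabCertTemplate {
    param([Parameter(Mandatory)][string]$Name)

    $configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    # A template can be addressed by its CN (no spaces) or by the display name shown in certtmpl.msc.
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$Name)(displayName=$Name)))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Template '$Name' not found in $($searcher.SearchRoot.Path)" }
    $t = $result.GetDirectoryEntry()

    # pKIExpirationPeriod is a negative FILETIME interval (100 ns ticks) stored as 8 little-endian bytes.
    $ticks    = [BitConverter]::ToInt64([byte[]]$t.Properties['pKIExpirationPeriod'].Value, 0)
    $validity = [TimeSpan]::FromTicks(-$ticks)

    # pKIKeyUsage holds the Key Usage BIT STRING bytes; byte 0 matches the low byte of
    # X509KeyUsageFlags (DigitalSignature = 0x80, KeyEncipherment = 0x20, ...), byte 1 carries DecipherOnly.
    $ku    = [byte[]]$t.Properties['pKIKeyUsage'].Value
    $kuInt = [int]$ku[0]
    if ($ku.Length -gt 1) { $kuInt = $kuInt -bor ([int]$ku[1] -shl 8) }
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$kuInt

    # pKIExtendedKeyUsage is a multi-valued list of OIDs; translate the well-known ones to names.
    $ekus = @($t.Properties['pKIExtendedKeyUsage']) | ForEach-Object {
        $oid = New-Object System.Security.Cryptography.Oid $_
        if ($oid.FriendlyName) { $oid.FriendlyName } else { $_ }
    }

    [pscustomobject]@{
        Name         = [string]$t.Properties['cn'].Value
        DisplayName  = [string]$t.Properties['displayName'].Value
        ValidityDays = [int]$validity.TotalDays      # certtmpl.msc stores "N years" as N * 365 days
        KeyUsage     = $kuFlags
        EKU          = @($ekus)
        MinKeySize   = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
    }
}

function Test-VMwareCertTemplate {
    # Defaults are assumptions about what the KB article asks for; override them to match your KB version.
    param(
        [string]$Name = 'VMware SSL',
        [int]$ExpectedValidityDays = 4 * 365,
        [string[]]$RequiredEku = @('Server Authentication', 'Client Authentication'),
        [string[]]$RequiredKeyUsage = @('DigitalSignature', 'KeyEncipherment'),
        [int]$MinKeySize = 2048
    )
    $t = Get-LabCertTemplate -Name $Name
    $problems = @()

    if ($t.ValidityDays -ne $ExpectedValidityDays) {
        $problems += "validity is $($t.ValidityDays) days, expected $ExpectedValidityDays"
    }
    foreach ($eku in $RequiredEku) {
        if ($t.EKU -notcontains $eku) { $problems += "missing EKU '$eku'" }
    }
    foreach ($flagName in $RequiredKeyUsage) {
        $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$flagName
        if (($t.KeyUsage -band $flag) -ne $flag) { $problems += "missing key usage $flagName" }
    }
    if ($t.MinKeySize -lt $MinKeySize) {
        $problems += "minimum key size is $($t.MinKeySize), expected at least $MinKeySize"
    }

    [pscustomobject]@{
        Template = $t.DisplayName
        Pass     = ($problems.Count -eq 0)
        Problems = $problems
        Settings = $t
    }
}

Test-VMwareCertTemplate | Format-List
```

If Pass comes back false straight after editing the template, check that the domain controller you are bound to has replicated the change; templates live in the configuration partition, so a freshly duplicated template can take a replication cycle to appear everywhere.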

A quick recap of where I got to: I have an offline Root CA (well, it's still online because I'll need it in a minute) and I've created a website on my online subordinate CA server to host the Root CA certificate and CRL files.
The purpose of the subordinate CA is to handle certificate issuance and revocation for all services in my infrastructure that require them; it is granted the authority to do so by the Root CA. This post covers the remaining steps of the process, which are:
Installing and configuring the subordinate CA
Signing the subordinate CA's certificate using the Root CA
Delegating control of the subordinate CA to someone other than Domain Admins
Some elements of this process are very similar to the process of …
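The first two of those steps form one round trip between the two CAs: generate the subordinate's request without a reachable parent, carry it to the root, issue it there, and carry the signed certificate (plus the root certificate and a fresh CRL) back. The commands below are an added example of that flow, not the post's own steps; the host names (ca-01, root-ca), CA common names, paths and the pending RequestId of 2 are assumptions for illustration. The first and last blocks run on the subordinate, the middle block on the root while it is temporarily online.

```powershell
# Added example (not the original post's commands): request, sign and install an enterprise
# subordinate CA certificate when the parent is an offline standalone root. Names and paths are assumed.

# --- on ca-01 (domain-joined, will become the online subordinate CA) ---
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

# With no -ParentCA given, the role writes a request file instead of enrolling against a parent.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa `
    -CACommonName 'o11n Lab Issuing CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\pki\ca-01.req' -Force
# The CA service is installed but cannot start until a signed CA certificate is installed.

# --- on root-ca (copy C:\pki\ca-01.req over first) ---
# A standalone CA holds submitted requests as pending by default, so submit, then issue by RequestId.
certreq -submit -config 'root-ca\o11n Lab Root CA' C:\pki\ca-01.req
certutil -resubmit 2                                               # RequestId printed by the submit above
certreq -retrieve -config 'root-ca\o11n Lab Root CA' 2 C:\pki\ca-01.cer

# While the root is online, export what the pki.o11n.lab site needs to serve: its certificate and a new CRL.
certutil -ca.cert C:\pki\root-ca.cer
certutil -crl            # writes the CRL to %windir%\system32\CertSrv\CertEnroll\

# --- back on ca-01 (copy ca-01.cer, root-ca.cer and the CRL over) ---
# Domain members must trust the offline root, so publish its certificate into AD ...
certutil -dspublish -f C:\pki\root-ca.cer RootCA
# ... then install the signed certificate against the pending request and start the service.
certutil -installcert C:\pki\ca-01.cer
Start-Service certsvc
certutil -ping           # confirms the CA is answering requests
```

certutil -installcert will refuse the certificate if the chain cannot be built, which usually means the root certificate is not yet trusted on ca-01 or the CDP/AIA URLs in the new certificate are not yet being served; publish the root first, as above, and make sure the web server is up before starting certsvc.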

Previously, I set up an offline Root CA in my homelab with the intention of emulating the PKI setup that many enterprises seem to run.
The second stage of this process is publishing the Root CA certificate and CRL somewhere they can be accessed while the Root CA is offline. If you recall, I configured the Root CA to publish its CRL etc. to a location on pki.o11n.lab, so I now need to create that.
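The way to confirm the publication point works is to take a certificate the Root CA has issued (the subordinate CA's own certificate is the obvious candidate; a self-signed root usually carries no CDP or AIA of its own), pull the CDP and AIA URLs out of it and fetch each one. The following is an added example, not code from the post: the certificate path and the expectation that the URLs are plain HTTP on pki.o11n.lab are assumptions.

```powershell
# Added example (not from the original post). Extracts CRL Distribution Point and Authority
# Information Access URLs from a certificate and checks each HTTP URL is actually served.

function Get-CertPublicationUrls {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $urls = @()
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if (-not $ext) { continue }
        # Format($true) renders the extension as multi-line text with one "URL=..." per location.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $urls += [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
        }
    }
    $urls
}

function Test-CertPublicationUrls {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($u in Get-CertPublicationUrls -Path $Path) {
        $ok = $false
        $detail = ''
        if ($u.Url -like 'http://*') {
            try {
                $r = Invoke-WebRequest -Uri $u.Url -UseBasicParsing -TimeoutSec 10
                # A 200 with an empty body still means nothing useful is published.
                $ok = ($r.StatusCode -eq 200) -and ($r.RawContentLength -gt 0)
                $detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
            } catch {
                $detail = $_.Exception.Message
            }
        } elseif ($u.Url -like 'ldap://*') {
            $detail = 'LDAP location; only resolvable by domain members, not checked here'
        } else {
            $detail = 'unsupported scheme'
        }
        [pscustomobject]@{ Extension = $u.Extension; Url = $u.Url; Reachable = $ok; Detail = $detail }
    }
}

# Path assumed: the subordinate CA certificate issued by the offline root.
Test-CertPublicationUrls -Path 'C:\pki\ca-01.cer' | Format-Table -AutoSize
```

Any HTTP URL that fails here will also fail for every client building a chain to the root once it is powered off, so it is worth running this from a machine that is not the CA itself. Reachability is only half the story: the CRL fetched from the CDP also has to be within its validity window, which certutil -dump on the downloaded file will show as NextUpdate.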
The Server
Rather than run my lab's online CA on a domain controller, which might be tempting but causes other issues, I have a domain-joined server set up that will eventually become my online subordinate CA.
It's a vanilla Windows Server 2012 R2 build, as before, and a domain member.
DNS
The VM is called "ca-01", but I need to have pki.o11n.lab pointed …

Self-signed SSL certificates are all well and good, but they're not meant for the real world. The trust issues they cause can be a headache on customer projects, and anything that's going into production shouldn't be using them.
For that reason, I thought it'd be better to change my homelab to use a slightly more realistic PKI setup. The first phase of that is creating an offline Root CA, as it's something a good number of customers use too.
Step 1: DNS
From a DNS perspective, my homelab is split up so that anything physical and fundamental to the lab (e.g. storage / NAS, physical hosts, switches etc.) lives in its own DNS domain (home.lab). Everything else from vCenter and AD downwards is in one or more other DNS …